Truth About Computer Security Hysteria
Email security turned on its head — but it's no big deal
Rob Rosenberger, Vmyths co-founder
Tuesday, 17 August 1999
YES, I DISCOVERED "yet another" worldwide threat to computing. Actually, I re-discovered an ancient hacking method, then I gave it an evolutionary boost. It changed the way we perceive email security, but it started falling into oblivion before I announced it publicly. Experts will soon add it to a list of obscure things they get paid to fret about.
We sometimes stone the messenger of bad news, so I considered my options before giving a lecture about the vulnerability. Network Associates held a telephone press conference to warn the world about Remote Explorer, but I decided against this approach. Finjan demonstrated Russian New Year to anyone who participated in their press conference, but I decided against this approach as well. Lectures at DEFCON or a local 2600 club meeting didn't seem like an appropriate forum, either.
I finally chose to give a lecture to St. Louis computer professionals. This didn't sit well with Network Associates, which surprises me. (They called it an "irresponsible" choice.) Anyway, I set up my lecture for 6 August.
I started talking in early July to firms with vulnerable products. I also notified some computer emergency response agencies. (CIAC accidentally told one reporter I failed to alert them. The agency quickly apologized for the error.) I alerted Microsoft's security team, too. I added about $350 to my regular July phone bill and I paid for it entirely out of my own pocket.
I provided working samples to each antivirus vendor & alert agency which requested them. I charged $0 for this service, by the way. No vendor needs to bribe me in the name of computer security.
I don't work for a consulting firm and I don't run advertisements on this website ... yet some people chided me for trying to drum up more consulting business. One person called me "a bit of an egomaniac" (no argument there), but I object strongly to his opinion that I'm "on a crusade to hurt" antivirus vendors. Actually, I'm on a different crusade.
I wrote to Dr. Fred Cohen to learn how to deal with people who may "blame" me for divulging this vulnerability. "You need to balance the benefits with the risks and make the best decision you can," he advised. "I would not be concerned. This is more or less 10+ year old news, and anyone who doesn't understand it hasn't been to a good info-sec 101 course." The computing world originally "blamed" Cohen for the concept of viruses, so his responses to shallow criticism come from experience:
After reading Cohen's advice, I added a possible response of my own: "you're lucky I notified vendors & agencies in advance. Some people post detailed instructions and working examples on a website with little or no advance notice."
You might know about an old debate when experts acknowledged an email could destroy data in obscure cases if you read it with your eyeballs. Richard M. Smith (Phar Lap) burst onto the scene in 1996 with a simple way to exploit Netscape email clients. BO2K author "DilDog" earned a merit badge in 1997 with the Res:// exploit for email clients. And, of course, too many users prefer Microsoft Word as their email client.
The experts acknowledged bad things could happen in theory just by reading an email. A new debate sprang up — skeptics asked fearmongers to point out a threat with real teeth in it. Fearmongers lost the argument because attackers seldom use "auto-malicious email" against victims.
I think we've reached the point where we'll stop saying "an email can't hurt your computer if you just read it with your eyeballs." (sigh) This attack methodology will quickly lose its teeth, but right now we can easily knock out networks with an email nobody ever reads.
I expect fearmongers will run around screaming "see, I told you so! I told you email was dangerous!" God only knows what kind of hysteria will spring forth from scared users. "Should I give up email for good?" (Anyone who asks me this question will get a "yes" response.) The truly wild-eyed fearmongers will scream "it's the Good Times virus for real!"
I said it before and I'll say it again. Email will go on with barely a burp. Our opinion of email security will shift 90 degrees but it won't make a difference to the people who use it. Even a worst-case scenario (script kiddies screw up the world's email for a month) will pass like a burp. We'd all just send email to each other in January of 2000 saying "do you remember when the world couldn't send email in the second half of August?"
I just never expected to find myself at the center of a debate over whether you could mess with a server just by sending an email no one ever reads...
Okay, let's wrap up with a few kudos. Every antivirus vendor worked with me — not against me — when I briefed them. Experts from each company called for details; most asked for comments on their solution strategies. Every one of them kept quiet about it to give competitors the luxury of time to fix their products. Vendors said they appreciated the fact a computer security skeptic re-discovered this attack methodology.
It's no longer "just" an email — but this whole thing will pass into obscurity. Count on it.